Integrity of messages

Similar documents
Data Integrity. Modified by: Dr. Ramzi Saifan

Data Integrity & Authentication. Message Authentication Codes (MACs)

CS408 Cryptography & Internet Security

V.Sorge/E.Ritter, Handout 6

Cryptographic Hash Functions

Cryptographic hash functions and MACs

Message Authentication Codes and Cryptographic Hash Functions

Data Integrity & Authentication. Message Authentication Codes (MACs)

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Introduction to Cryptography. Lecture 6

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Cryptographic Hash Functions

Network and System Security

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Generic collision attacks on hash-functions and HMAC

P2_L8 - Hashes Page 1

1 Defining Message authentication

Cryptographic Hash Functions. William R. Speirs

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

ENEE 459-C Computer Security. Message authentication

Lecture 1: Course Introduction

Lecture 1 Applied Cryptography (Part 1)

Message authentication codes

Cryptography. Summer Term 2010

Lecture 4: Authentication and Hashing

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Spring 2010: CS419 Computer Security

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

Betriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität

COMP4109 : Applied Cryptography

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Multiple forgery attacks against Message Authentication Codes

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Cryptography and Network Security

CS155. Cryptography Overview

CSCE 715: Network Systems Security

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

S. Erfani, ECE Dept., University of Windsor Network Security

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Cryptographic Checksums

CSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions

Outline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question

Outline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr.

CSC574: Computer & Network Security

Symmetric Encryption 2: Integrity

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Jaap van Ginkel Security of Systems and Networks

Winter 2011 Josh Benaloh Brian LaMacchia

Computer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut

Course Administration

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Message authentication

Digests Requirements MAC Hash function Security of Hash and MAC Birthday Attack MD5 SHA RIPEMD Digital Signature Standard Proof of DSS

Lecture 4: Cryptography III; Security. Course Administration

Security Requirements

Cryptographic Hash Functions

Symmetric Crypto MAC. Pierre-Alain Fouque

ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.

Introduction to Software Security Hash Functions (Chapter 5)

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

CIS 4360 Secure Computer Systems Symmetric Cryptography

Hashing (Message Digest)

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

Feedback Week 4 - Problem Set

Hash functions & MACs

COMP4109 : Applied Cryptography

CSE 127: Computer Security Cryptography. Kirill Levchenko

CS155. Cryptography Overview

CPSC 467b: Cryptography and Computer Security

Hashing, One-Time Signatures, and MACs. c Eli Biham - March 21, Hashing, One-Time Signatures, and MACs

CIT 480: Securing Computer Systems. Hashes and Random Numbers

Cryptography: More Primitives

Lecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Lecture 4: Hashes and Message Digests,

Appendix A: Introduction to cryptographic algorithms and protocols

e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text

Computer Security: Hashing

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CS Computer Networks 1: Authentication

Overview of Cryptography

Network Security. Cryptographic Hash Functions Add-on. Benjamin s slides are authoritative. Chair for Network Architectures and Services

Message Authentication and Hash function

1.264 Lecture 28. Cryptography: Asymmetric keys

UNIT - IV Cryptographic Hash Function 31.1

Chapter 11 Message Integrity and Message Authentication

Transcription:

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 106 Integrity of messages Goal: Ensure change of message by attacker can be detected Key tool: Cryptographic hash function Definition A cryptographic hash function is a function from bitstrings of [almost] arbitrary length to bitstring of a fixed length n such that For any message or string x, h(x) is easy to compute. h is one-way, i.e., it is hard to invert, in the sense that for any y it is computationally infeasible to find an x such that y = h(x) h is collision-resistant, i.e., for any x it is computationally infeasible to find an x such as h(x) = h(x ).

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 107 Uses of hash functions Example: MD5 used for verifying integrity of ubuntu packages Each package comes with MD5-hash. Idea is to confirm MD5-hash by a secure channel (phone? another website?) or to sign hashes with private key (see later).

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 108 Collision-resistance A hash function necessarily has loads of collisions. This can be seen just by considering the size of the input message space and the size of the output message space. For SHA-1, the input is a message up to length 2 64 1 bits. The output is a message of length 160 bits. So, on average, each possible output corresponds to a vast number of inputs! Collision-resistance means that it is computationally hard to find a single collision. If a single collision is found, the hash function is considered broken.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 109 Collision-resistance Collision resistance implies that changing just one bit of the input should completely change the output; e.g., that might mean that typically half of the output bits are changed. Example echo "The quick brown fox jumps over the lazy dog" sha1sum be417768b5c3c5c1d9bcb2e7c119196dd76b5570 echo "The quick brown fox jumps over the lazy dof" sha1sum 71451f4d87fe0e866ec8ebc57f5379b23fa2921f In binary: 101111100100000101110111011010001011010111000011110001011100... 011100010100010100011111010011011000011111111110000011101000... Of the 60 bits shown, 27 have changed.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 110 Birthday paradox Suppose there are 23 people in the room. The chance that someone has my birthday is approximately 0.06. The chance that some two of them have the same birthday is much higher: it is approximately 0.5. Suppose there are 50 people in the room. Then these probabilities become 0.13 and 0.96.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 111 One-way vs collision-resistant One-way: given y, infeasible to find x such that h(x) = y. Collision-resistant: Infeasible to find distinct x and x such that h(x) = h(x ). The work needed to break collision-resistance is much less than the work needed to break one-way. If it takes 2 n operations to break one-way, then it takes only approximately 2 n/2 operations to break collision resistance. The birthday paradox is one way to understand this distinction. Moral: a hash function that outputs n bits has at most n/2 bits of security.

MD4 128-bits hash length. Proposed 1990. Collisions found 1995. MD5 128-bits hash length. Proposed 1992. Collisions found 2004 after years of effort. Nowadays, collisions can be found in seconds on an ordinary PC. SHA-1 160-bits hash length. Proposed 1995. No collisions have been found. However, it has been shown that they could be found with around 2 65 operations vastly less than the theoretical 2 80. No longer recommended to be used (but still in widespread use). SHA-2 224, 256, 384, or 512 bits hash length. Proposed 2001. No collisions found for any of the bit lengths. Still considered secure, though there are erosions. SHA-3 variable digest size. Proposed 2015. Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 112 Example

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 113 The Merkle-Damgård Construction Merkle-Damgård Construction produces a cryptographic hash function from a compression function shown as f below. Idea: Apply compression function repeatedly Source: Wikipedia MD4, MD5, SHA-1 and SHA-2 all use the Merkle-Damgard construction. Only SHA-3 does something completely different.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 114 The algorithm for MD4 First, the message is padded to a length that is 64 bits less than a multiple of 512 bits. The padding is 1 followed by a string of 0s. A 64 bit representation of the length of the (unpadded) message is added. A, B, C, D are initialised to some fixed constants (they re just part of the definition of MD4). The message is split into 512 bit blocks. Each block is processed in turn: The compression function is applied to A,B,C,D and the current block, resulting in a new value of A,B,C,D. The hash value is the final value of A,B,C,D.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 115 The compression function for MD4 Input: 512 bit block of the message, and current value of A,B,C,D. Output: new values of A,B,C,D. The 512 bit message is split into 16 chunks M 0,..., M 15 of 32 bits each Three rounds, each of 16 steps, are used to transform A,B,C,D into new values of A,B,C,D. Each of the 16 steps consumes one of the chunks of the message. The rounds make use of three special functions, one for each round: F (X, Y, Z) = (X Y ) ( X Z) G(X, Y, Z) = (X Z) (Y Z) (X Z) H(X, Y, Z) = X Y Z

Source: Wikipedia Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 116 One of the 16 steps from one of the rounds of MD4. In the picture, M i is the 32-bit chunk of the message the step consumes. K i is a 32-bit constant

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 117 MD5 Same parameters, same initialisation vector Adds fourth round with a different non-linear function I (X, Y, Z) = Y (X Z)

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 118 SHA-1 SHA-1 extends hash size to 160 bits Extension of MD4 (same non-linear functions used) Message blocks used differently Current usage: TLS, SSL, SSH, BitTorrent Source: Wikipedia

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 119 SHA-2 Successor of SHA-1 Introducing more bitwise operations increasing block sizes increasing hash length... but essentially the same ideas.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 120 A hash function can be used to guarantee the integrity of messages (e.g., the integrity of downloaded software). However, a hash function alone is insufficient to guarantee the authenticity of messages (i.e., the fact that a message came from a particular source). If you merely use a hash function, the attacker can modify message and recompute hash. To guarantee authenticity, we use a message authentication code a keyed hash function. Assumption: Alice and Bob share key k Alice sends to Bob: m, MAC k (m). When Bob receives this message, say m, x, he computes MAC k (m) and then checks if x = MAC k (m). How to define a MAC function from a hash function?

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 121 How to define MAC from a hash function? MAC k (m) could be defined as h(k m). However, this is vulnerable to a length extension attack. Given m and h(k m), one can construct m and h(k m ) (for example, let m be m padding length(m) m ). Thus, if Alice sent the message m with MAC k (m) using this definition, the attacker could modify the message to m with MAC k (m ). The constructions MAC k (m) = h(m k). and MAC k (m) = h(k m k). have also been found to have weaknesses.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 122 HMAC HMAC k (m) defined as: ( ( HMAC k (m) = h (k opad) h (k ipad) m) ), Here, the key k is padded with zeros to the blocksize of the hash function, and ipad and opad are constants of that blocksize. The values of ipad and opad are not critical to the security of the algorithm, but were defined in such a way to have a large Hamming distance from each other and so the inner and outer keys will have fewer bits in common. This definition can be shown to have some good security properties: if you can break HMAC, then you can break the underlying hash function.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 123 CBC-MAC CBC-MAC uses CBC mode of operation for block cipher Source: Wikipedia

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 124 PMAC Hash functions, HMAC and CBC-MAC are not parallelisable PMAC addresses this issue Have two keys K and L Have function P(K, i) = K x i in F 2 n M 1 M 2... M r 1 M r P (K, 1) P (K, 2) P (K, r 1) P (K, r) K E K E K E K E L E result

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 125 Security of hash function A hash function is collision-resistant if the attacker can t output a collision. Reminder: padding scheme for Merkle-Damgard construction with block size n. Given a message M, add 10 0 msglen, where msglen is the length of the message represented as a 64 bit number. The number of 0s is the smallest number that brings the padded message to a multiple of the block size. Theorem If h is a collision-resistant compression function, and messages are padded as above, then the Merkle-Damgåard construction without a finalisation function produces a collision-resistant hash function.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 126 Security of MAC Let m be a message. Then MAC k (n) is sometimes called the tag for m. We call a MAC function secure if an attacker cannot produce a valid (message, tag)-pair which he hasn t seen before. (We assume the attacker doesn t have the key.) This is called secure against existential forgery,

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 127 Definition The MAC-game between challenger and attacker is defined as follows: The attacker does some computations and may in the process supply messages m 1,..., m n to the challenger The challenger returns t 1,..., t n to the attacker, which are the result of creating the MAC for the messages m 1,..., m n. The attacker does some more computations and then supplies to the challenger a pair (m, t), which is not equal to any of the pairs (m 1, t 1 ),..., (m n, t n ). The challenger outputs 1 if t is obtained by creating the MAC for m, otherwise he returns 0. The attacker wins the MAC-game if the challenger outputs 1.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 128 Definition We call a MAC secure if no attacker can win the MAC-game with non-negligible probability. Here, as before, the probability is a function of the key length.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 129 Example CBC-MAC is not secure (unless you add restrictions). Suppose the attacker possesses (m, t) and (m, t ). Then he can forge a third pair, (m, t ): We assume that m is more than one block long; say m = m 1 m 2... m p. Set m = m (m 1 t) m 2... m p, and t = t. Check that (m, t ) is a valid message-tag pair.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 130 CBC-MAC result Theorem Assume CBC-MAC is used only on messages of a fixed length. If the block cipher used is a secure block cipher, then CBC-MAC is a secure MAC. Another way to achieve this is to prepend the length in the message.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 131 HMAC and PMAC results Theorem If the hash function used is secure, then HMAC is a secure MAC. Theorem If the block cipher used is secure, then PMAC is a secure MAC.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback